Tags: azure-ad-b2c, azure-ad-b2c-custom-policy, multi-factor-authentication

Azure B2C Just in Time (JIT) migration writing MFA phone and MFA email to user profile


I am using a REST API to validate the user's legacy credentials and, if successful and needToMigrate = local, I am attempting to create the user with the username as the main identity. It works, but I need to be able to write the phone number and email to the user's profile for the MFA flow. Since the email/phone come from the legacy system they are already verified, and I do not want to make the user re-verify or let them enter a new email/phone. I need both email and phone to be written to the profile, as the custom journey will let them choose the MFA method and use email or phone for MFA.

Below is the technical profile I am modifying for writing the user to the directory. The REST API returns "email" and "phone" (which is mapped to the strongAuthenticationPhoneNumber claim). How can I write email and phone to the user's profile and make sure they are used for the sign-in with MFA flow?

<TechnicalProfile Id="AAD-UserWriteUsingLogonName">
    <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
    </Metadata>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
    </InputClaims>
    <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" />
        <PersistedClaim ClaimTypeReferenceId="email" PartnerClaimType="strongAuthenticationEmailAddress" />
        <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
        <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="SomeDefaultDisplayNameValue" />
        <!--WHAT TO DO HERE FOR EMAIL AND PHONE-->
                        
        <!-- Optional claims. -->
        <PersistedClaim ClaimTypeReferenceId="givenName" />
        <PersistedClaim ClaimTypeReferenceId="surname" />
    </PersistedClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

Solution

  • To store the MFA phone #, you could add

    <PersistedClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />

    To store the MFA email, if it’s different from the sign-in email, you could persist it to an extension attribute. Otherwise, if it is the same as their logon email, then just use the signInName attribute to read the MFA email upon verification.
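The following is an added example, not code from the question or the answer above, showing how the two pieces of the answer fit together in a custom policy: a claims schema entry for the extension attribute, the write technical profile from the question with the two MFA values persisted, and the matching read technical profile so that on later sign-ins the stored values are available to the MFA step. The claim name `extension_mfaEmail` is a hypothetical extension attribute, the two GUIDs in `AAD-Common` are placeholders for the tenant's b2c-extensions-app, and the read profile ID `AAD-UserReadUsingObjectId` is assumed to be the one the journey already uses.

```xml
<!-- Added example, not from the question or the answer.
     Assumptions: extension_mfaEmail is a hypothetical extension attribute;
     the GUIDs in AAD-Common are placeholders for the tenant's b2c-extensions-app. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Built-in MFA phone attribute; the phone factor provider reads this claim. -->
    <ClaimType Id="strongAuthenticationPhoneNumber">
      <DisplayName>Phone number</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <!-- Extension attribute for an MFA email that is not the sign-in name. -->
    <ClaimType Id="extension_mfaEmail">
      <DisplayName>MFA email</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Extension attributes are only read/written when AAD-Common names the extensions app. -->
      <TechnicalProfile Id="AAD-Common">
        <Metadata>
          <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
          <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
        </Metadata>
      </TechnicalProfile>

      <!-- Write profile from the question, with both MFA values persisted. -->
      <TechnicalProfile Id="AAD-UserWriteUsingLogonName">
        <Metadata>
          <Item Key="Operation">Write</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">true</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" Required="true" />
        </InputClaims>
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.userName" />
          <PersistedClaim ClaimTypeReferenceId="newPassword" PartnerClaimType="password" />
          <PersistedClaim ClaimTypeReferenceId="displayName" DefaultValue="SomeDefaultDisplayNameValue" />
          <!-- Values returned by the legacy REST API. They are written without a
               verification step, so the REST technical profile is the trust boundary. -->
          <PersistedClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
          <PersistedClaim ClaimTypeReferenceId="extension_mfaEmail" />
          <PersistedClaim ClaimTypeReferenceId="givenName" />
          <PersistedClaim ClaimTypeReferenceId="surname" />
        </PersistedClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="newUser" PartnerClaimType="newClaimsPrincipalCreated" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
          <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        </OutputClaims>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
      </TechnicalProfile>

      <!-- On later sign-ins, read both values back into the claims bag so the
           journey can offer them as MFA methods without asking the user again. -->
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <Metadata>
          <Item Key="Operation">Read</Item>
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
        </Metadata>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />
          <OutputClaim ClaimTypeReferenceId="extension_mfaEmail" />
        </OutputClaims>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Two practical checks when using this: because the migration path writes the phone number and email straight into the profile with no user-facing verification, the REST API call that returns them must itself be authenticated (client certificate or basic auth on the RESTful technical profile) and must be the only path into the write profile, otherwise an attacker who can reach the journey could seed an MFA factor they control. The phone number should also be stored in the country-code-prefixed format the phone factor provider expects, or the stored value will not be offered as a verified number on the next sign-in.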